IP whitelisting allows enterprise users to restrict which client IP addresses can access their ThornGuard proxy. This is Step 3 in the security pipeline, checked immediately after authentication.
IP whitelisting is an Enterprise-only feature. Individual plan users have unrestricted IP access.

How It Works

  1. Enterprise users configure an IP whitelist via the Settings page.
  2. The whitelist is stored in the license_settings table as a JSON array.
  3. On each request, ThornGuard checks the client’s IP (from the CF-Connecting-IP header) against the whitelist.
  4. If the whitelist is empty, all IPs are allowed (default behavior).
  5. If the whitelist is non-empty, only listed IPs are permitted — all others are blocked.

Configuration

Add IP addresses from the ThornGuard dashboard Settings page. Supported formats:
  • Single IP entries: 203.0.113.10
  • IPv4 CIDR notation: 198.51.100.0/24

Example Whitelist

["203.0.113.10", "198.51.100.0/24"]
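
The check described under How It Works, run against the example whitelist above, as an added JavaScript example (not ThornGuard's own code). The function names, the strict octet parsing, and the choice to deny client addresses that do not parse as IPv4 are assumptions.

```javascript
// Added example, not ThornGuard's implementation. All function names are hypothetical.

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer, or null.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let value = 0;
  for (const part of parts) {
    // Strict decimal octets only: no signs, hex, whitespace or leading zeros.
    if (!/^(0|[1-9]\d{0,2})$/.test(part)) return null;
    const octet = Number(part);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// True if the client address matches one entry (single IP or IPv4 CIDR).
function entryMatches(entry, clientInt) {
  const [addr, prefix, ...rest] = String(entry).split("/");
  const base = ipv4ToInt(addr);
  if (base === null || rest.length > 0) return false; // malformed entry never matches
  if (prefix === undefined) return base === clientInt;
  if (!/^(0|[1-9]\d?)$/.test(prefix) || Number(prefix) > 32) return false;
  const bits = Number(prefix);
  // Special-case /0: in JavaScript, x << 32 is x, not 0.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((base & mask) >>> 0) === ((clientInt & mask) >>> 0);
}

// whitelistJson: the stored JSON array; clientIp: the CF-Connecting-IP value.
function isAllowed(whitelistJson, clientIp) {
  const list = JSON.parse(whitelistJson);
  if (!Array.isArray(list)) throw new TypeError("whitelist must be a JSON array");
  if (list.length === 0) return true; // empty whitelist: all IPs allowed
  const clientInt = ipv4ToInt(clientIp);
  if (clientInt === null) return false; // assumption: unparseable client IP is denied
  return list.some((entry) => entryMatches(entry, clientInt));
}

// Constructed sample: the example whitelist from this page and three test addresses.
const sample = '["203.0.113.10", "198.51.100.0/24"]';
for (const ip of ["203.0.113.10", "198.51.100.77", "192.0.2.5"]) {
  console.log(ip, isAllowed(sample, ip) ? "allowed" : "403 BLOCKED_IP_WHITELIST");
}
```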

Blocked Requests

When a request is blocked by IP whitelisting:
  • The proxy returns an HTTP 403 Forbidden response.
  • A BLOCKED_IP_WHITELIST action is logged in your audit trail.
  • The details field includes the blocked client IP.
{
  "error": "ThornGuard Security: IP not authorized."
}
Be careful when configuring IP whitelists — locking yourself out requires contacting support or using the Wrangler CLI to update your license_settings directly.